Network #3: TCP/IP
Computer Science 161 Fall 2016 Popa and Weaver
Source: cs161/fa16/slides/network3_tcp.key.pdf

Page 1

Network #3: TCP/IP

Page 2

Spot the Zero Day: TP-Link Miniature Wireless Router

Page 3

Spot the Zero Day: TP-Link Miniature Wireless Router

Page 4

Nick's Apology...

• I'm really going to try to slow down
• I'm also really going to try to reduce the "story factor" and check my ego
• Many thanks for the feedback!
• And a beg: Don't wait for us to request feedback to give it!
• When I'm going too fast or otherwise being a bad professor, PLEASE TELL ME
• You're all smart, if you want anonymity in feedback you can
• But be smarter: I want students to feel comfortable in telling me my screwups!

Page 5

Review: VERY key topics

• Network is layered
• Wired/Wireless Network: addressed by Ethernet MAC
  • Broadcast or switched networks
  • WiFi encryption handshake
  • ARP/DHCP configuration
• Packet injection attacks
  • When the attacker sees a request...
• DNS
  • Distributed database, hierarchical trust
  • Attacks: Old-school cache poisoning, blind injection poisoning, race condition attacks (race once vs race-until-win)

Page 6

Today: The Internet

• How the Internet routes IP packets
• Distributed trust through Autonomous Systems
• How TCP works
• Denial of Service Attacks
• (If time) the Firewall #1

Page 7

IP Packet Structure

4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Payload

Page 8

IP Packet Structure

4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Payload

Annotation (Total Length): Specifies the length of the entire IP packet: bytes in this header plus bytes in the Payload

Page 9

IP Packet Structure

4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Payload

Annotation (Protocol): Specifies how to interpret the start of the Payload, which is the header of a Transport Protocol such as TCP or UDP
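The header layout on pages 7 to 9, turned into working code. This is an example added here, not code from the course slides: a parser that unpacks the fields in the order the diagram shows, checks the Header Length and Total Length fields against the bytes actually present (a packet that lies about its length is the first thing a defensive parser must refuse), and verifies the header checksum. The build_ipv4 helper exists only to produce a constructed sample packet (using the 1.2.1.2 and 9.8.7.6 addresses from the later slides) so the script runs offline.

```python
"""IPv4 header parser for the layout on the slides (added example, not course code).

The sample packet bytes are constructed by build_ipv4 so the script runs offline.
"""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header, checksum field included.
    A header whose checksum is correct yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 packet into the header fields shown on the slide and the payload."""
    if len(packet) < 20:
        raise ValueError("too short for a fixed IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, checksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl_bytes = (ver_ihl & 0x0F) * 4            # Header Length is counted in 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl_bytes < 20 or ihl_bytes > len(packet):
        raise ValueError("header length field inconsistent with packet")
    if total_len < ihl_bytes or total_len > len(packet):
        # Total Length covers header plus payload; anything else is malformed.
        raise ValueError("total length field inconsistent with packet")
    if ipv4_checksum(packet[:ihl_bytes]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "version": version,
        "header_len": ihl_bytes,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                      # 6 = TCP, 17 = UDP
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:ihl_bytes],
        "payload": packet[ihl_bytes:total_len],
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Build a minimal (no-options) IPv4 packet with a correct checksum; used only to make sample input."""
    total_len = 20 + len(payload)
    header_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header_no_sum)
    return header_no_sum[:10] + struct.pack("!H", csum) + header_no_sum[12:] + payload


if __name__ == "__main__":
    # Constructed sample: 1.2.1.2 -> 9.8.7.6 carrying 15 bytes with Protocol = 6 (TCP).
    pkt = build_ipv4("1.2.1.2", "9.8.7.6", 6, b"GET /login.html")
    fields = parse_ipv4(pkt)
    print(fields["src"], "->", fields["dst"], "proto", fields["protocol"], "len", fields["total_len"])
    # Flipping one TTL bit leaves both length fields intact but breaks the checksum.
    bad = bytearray(pkt)
    bad[8] ^= 0x01
    try:
        parse_ipv4(bytes(bad))
    except ValueError as e:
        print("rejected:", e)
```

The length checks matter more than they look: Total Length is what a receiver uses to find the end of the payload, and Header Length is what it uses to find the start, so either field disagreeing with the bytes on the wire is a malformed packet, not a value to trust.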

Pages 10, 11 and 12: the IP Packet Structure diagram above, repeated without annotation.

Page 13

IP Packet Header (Continued)

• Two IP addresses
  • Source IP address (32 bits)
  • Destination IP address (32 bits)
• Destination address
  • Unique identifier/locator for the receiving host
  • Allows each node to make forwarding decisions
• Source address
  • Unique identifier/locator for the sending host
  • Recipient can decide whether to accept packet
  • Enables recipient to send a reply back to source

Page 14

IP: “Best Effort” Packet Delivery

• Routers inspect destination address, locate “next hop” in forwarding table
• Address = ~unique identifier/locator for the receiving host
• Only provides an “I’ll give it a try” delivery service:
  • Packets may be lost
  • Packets may be corrupted
  • Packets may be delivered out of order

[Figure: source → IP network → destination]

Page 15

IP Routing: Autonomous Systems

• Your system sends IP packets to the gateway...
• But what happens after that?
• Within a given network it's routed internally
• But the key is the Internet is a network-of-networks
  • Each "autonomous system" (AS) handles its own internal routing
  • The AS knows the next AS to forward a packet to
• Primary protocol for communicating in between ASs is BGP

Page 16

Packet Routing on the Internet

[Figure: Sender and Recipient connected through a mesh of autonomous systems labelled AS 1 through AS 5]

Page 17

Remarks

• This is a network of networks
• It's designed with failures in mind: links can go down and the system will recover
• But it is also generally trust-based
  • A system can lie about what networks it can route to!
• Each hop decrements the TTL
  • Prevents a "routing loop" from happening
• Routing can be asymmetric
  • Since in practice networks may (slightly) override BGP, and

Page 18

IP Spoofing and Autonomous Systems

• The edge-AS where a user connects should restrict packet spoofing
  • Sending a packet with a different sender IP address
• But about 25% of them don't...
  • So a system can simply lie and say it comes from someplace else
• This enables blind-spoofing attacks
  • Such as the Kaminsky attack on DNS
• It also enables "reflected DOS attacks"
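Two of the router behaviours pages 14 to 18 describe, written out as an added example (not code from the slides): the forwarding-table lookup by destination address (longest prefix match) and the anti-spoofing check an edge AS is supposed to apply, which drops a packet arriving on a customer-facing interface whose source address does not belong to that customer. That check is what the slide means by "restrict packet spoofing"; in operator terms it is ingress filtering, BCP 38. The prefixes, interface names and next-hop labels are made up for the demo.

```python
"""Added example: a router that forwards by longest prefix match and applies an ingress filter
on customer-facing interfaces (the edge-AS anti-spoofing check from the slides).
All addresses, prefixes and interface names are constructed for the demo.
"""
import ipaddress
from typing import Optional


class EdgeRouter:
    def __init__(self):
        self.forwarding = []          # list of (network, next_hop)
        self.customer_prefixes = {}   # interface -> networks allowed as a source on that interface

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.forwarding.append((ipaddress.ip_network(prefix), next_hop))

    def assign_customer(self, interface: str, prefixes) -> None:
        self.customer_prefixes[interface] = [ipaddress.ip_network(p) for p in prefixes]

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest prefix match: the most specific route containing dst wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.forwarding:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None

    def source_allowed(self, interface: str, src: str) -> bool:
        """Ingress filter: a customer-facing interface may only originate its own addresses.
        Interfaces without an assignment (transit links) are not filtered in this demo."""
        if interface not in self.customer_prefixes:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.customer_prefixes[interface])

    def handle(self, interface: str, src: str, dst: str) -> str:
        """Returns 'drop:spoofed', 'drop:no-route' or 'forward:<next hop>'."""
        if not self.source_allowed(interface, src):
            return "drop:spoofed"        # the packet claims an address this customer does not own
        hop = self.next_hop(dst)
        return f"forward:{hop}" if hop else "drop:no-route"


def demo_router() -> EdgeRouter:
    r = EdgeRouter()
    r.add_route("0.0.0.0/0", "upstream")           # default route toward the rest of the Internet
    r.add_route("10.20.0.0/16", "customer-A")
    r.add_route("10.20.5.0/24", "customer-A-dc")   # more specific than the /16, so it wins for 10.20.5.x
    r.assign_customer("eth1", ["10.20.0.0/16"])    # customer A is attached on eth1
    return r


if __name__ == "__main__":
    r = demo_router()
    print(r.handle("eth1", "10.20.1.9", "198.51.100.20"))    # forward:upstream
    print(r.handle("eth0", "198.51.100.20", "10.20.5.7"))    # forward:customer-A-dc
    print(r.handle("eth1", "9.8.7.6", "198.51.100.20"))      # drop:spoofed
```

The last call is the case the slide is about: a packet from customer A's port claiming to be from 9.8.7.6. An edge router that applies the filter drops it; the roughly 25% that do not forward it, and from then on nothing downstream can tell the source address is a lie.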

Page 19

On-path Injection vs Off-path Spoofing

[Figure: Hosts A, B, C, D and E connected through Routers 1 to 7. Host A communicates with Host D; the nodes along that route are labelled "On-path", the others "Off-path"]

Page 20

Lying in BGP

[Figure: the AS 1 through AS 5 topology from page 16, reused to illustrate an AS lying about which networks it can route to]

Page 21

Lying in BGP

[Figure: the same topology, continued]

Page 22

TCP

Layer stack:
7 Application
4 Transport
3 (Inter)Network
2 Link
1 Physical

TCP header:
Source port | Destination port
Sequence number
Acknowledgment
HdrLen | 0 (reserved) | Flags | Advertised window
Checksum | Urgent pointer
Options (variable)
Data

Page 23

TCP

[TCP header diagram as on page 22]

Annotation (Source port, Destination port): These plus IP addresses define a given connection

Page 24

TCP

[TCP header diagram as on page 22]

Annotation (Sequence number): Used to order data in the connection: client program receives data in order

Page 25

TCP

[TCP header diagram as on page 22]

Annotation (Acknowledgment): Used to say how much data has been received

Page 26

TCP

[TCP header diagram as on page 22]

Annotation (Flags): Flags have different meanings:
SYN: Synchronize, used to initiate a connection
ACK: Acknowledge, used to indicate acknowledgement of data
FIN: Finish, used to indicate no more data will be sent (but can still receive and acknowledge data)
RST: Reset, used to terminate the connection completely
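The TCP header drawn on pages 22 to 26, parsed in code. This is an added example, not code from the slides: it unpacks the header in the order shown, decodes HdrLen (the data offset, in 32-bit words) and the flag bits the page names, and builds the connection identifier page 23 describes, the two IP addresses plus the two ports. The identifier is normalised so both directions of a connection map to the same key, which is what a firewall or intrusion detection system needs for its connection table. build_tcp exists only to construct sample segments (checksum left at zero, since computing it needs the IP pseudo-header that is outside this example).

```python
"""Added example: parse the TCP header from the slides and derive the connection 4-tuple.
Sample segments are constructed by build_tcp; they are not captured traffic."""
import struct

# Flag bits in the low byte of the offset/flags word, in wire order from least significant.
FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
              0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("too short for a TCP header")
    (sport, dport, seq, ack, off_flags, window, checksum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4       # HdrLen (data offset) is counted in 32-bit words
    flags = off_flags & 0x01FF             # low 9 bits: NS plus the 8 flags above
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("data offset inconsistent with segment")
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": hdr_len,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "window": window, "checksum": checksum, "urgent": urg,
        "options": segment[20:hdr_len],
        "data": segment[hdr_len:],
    }


def build_tcp(sport, dport, seq, ack, flags, data=b"", window=65535) -> bytes:
    """Options-free TCP segment. Checksum is left 0: it needs the IP pseudo-header, not shown here."""
    flag_bits = 0
    for bit, name in FLAG_NAMES.items():
        if name in flags:
            flag_bits |= bit
    off_flags = (5 << 12) | flag_bits      # 5 words = 20-byte header
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + data


def connection_id(src_ip: str, dst_ip: str, tcp: dict) -> tuple:
    """The 4-tuple that, per page 23, defines a connection, normalised so that a segment in
    either direction yields the same key."""
    a = (src_ip, tcp["src_port"])
    b = (dst_ip, tcp["dst_port"])
    return (a, b) if a <= b else (b, a)


if __name__ == "__main__":
    # Constructed exchange using the addresses and ports from page 27.
    syn = parse_tcp(build_tcp(3344, 80, 1000, 0, ["SYN"]))
    syn_ack = parse_tcp(build_tcp(80, 3344, 5000, 1001, ["SYN", "ACK"]))
    print(syn["flags"], syn_ack["flags"])
    print(connection_id("1.2.1.2", "9.8.7.6", syn) == connection_id("9.8.7.6", "1.2.1.2", syn_ack))
```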

Page 27

TCP Conn. Setup & Data Exchange

Client (initiator): IP address 1.2.1.2, port 3344
Server: IP address 9.8.7.6, port 80

Client → Server: SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, SYN, Seq = x
Server → Client: SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, SYN+ACK, Seq = y, Ack = x+1
Client → Server: SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Seq = x+1, Ack = y+1
Client → Server: SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Seq = x+1, Ack = y+1, Data=“GET /login.html”
Server → Client: SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16, Data=“200 OK … <html> …”

Page 28

TCP Threat: Data Injection

• If attacker knows ports & sequence numbers (e.g., on-path attacker), attacker can inject data into any TCP connection
  • Receiver B is none the wiser!
• Termed TCP connection hijacking (or “session hijacking”)
  • A general means to take over an already-established connection!
• We are toast if an attacker can see our TCP traffic!
  • Because then they immediately know the port & sequence numbers

[Figure: timeline between A and B: SYN, SYN ACK, ACK, Data, ACK, with the attacker's “Nasty Data” and “Nasty Data2” segments injected into the stream]

Page 29

TCP Data Injection

Client (initiator): IP address 1.2.1.2, port 3344
Server: IP address 9.8.7.6, port 80
Attacker (AirPwn, QUANTUM, etc): IP address 6.6.6.6, port N/A

Client → Server: SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Seq=x+1, Ack = y+1, Data=“GET /login.html”
...
Attacker → Client (forged as server): SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16, Data=“200 OK … <poison> …”

Client dutifully processes it as the server’s response

Page 30

TCP Data Injection

Client (initiator): IP address 1.2.1.2, port 3344
Server: IP address 9.8.7.6, port 80
Attacker: IP address 6.6.6.6, port N/A

Client → Server: SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Seq=x+1, Ack = y+1, Data=“GET /login.html”
...
Attacker → Client (forged as server): SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16, Data=“200 OK … <poison> …”
Server → Client (genuine): SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16, Data=“200 OK … <html> …”

Client ignores the genuine response since it already processed that part of the bytestream: the network can duplicate packets, so only pay attention to the first version in sequence
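The receiver-side view of pages 27 to 30, as an added example (not code from the slides). StreamReceiver models one direction of a TCP bytestream the way the client on page 30 behaves: it accepts the next in-sequence segment, advances its acknowledgment number by the payload length (which is why the server's Ack is x+16 after the 15-byte request on page 27), and ignores bytes it has already consumed, so the genuine reply arriving after the forged one is dropped. InjectionMonitor is the defender's counterpart: a passive observer that remembers the bytes seen for each sequence position and reports when a later segment disagrees with them. Two different payloads for the same sequence range is exactly what an injected reply followed by the real one looks like on the wire, and it is the kind of inconsistency a network monitor can alert on even though the endpoint itself cannot tell. Sequence numbers and payloads are made up, and wraparound is ignored for readability.

```python
"""Added example: in-order delivery with duplicate suppression (pages 27-30) plus a passive
monitor that flags overlapping segments carrying different bytes. All values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int
    data: bytes
    flags: frozenset = frozenset({"ACK"})


@dataclass
class StreamReceiver:
    """Tracks RCV.NXT for one direction of a connection (wraparound ignored for readability)."""
    rcv_nxt: int
    received: bytearray = field(default_factory=bytearray)

    def deliver(self, seg: Segment) -> str:
        end = seg.seq + len(seg.data)
        if end <= self.rcv_nxt:
            return "ignored: already processed"          # duplicate or stale copy, as on page 30
        if seg.seq > self.rcv_nxt:
            return "buffered: gap before this segment"   # out of order (kept simple: not stored)
        new = seg.data[self.rcv_nxt - seg.seq:]           # trim any overlap with consumed bytes
        self.received += new
        self.rcv_nxt = end
        return f"accepted: {len(new)} bytes, ack={self.rcv_nxt}"


class InjectionMonitor:
    """Remembers every byte seen per sequence position; flags overlapping segments whose bytes differ."""

    def __init__(self):
        self.seen = {}      # sequence position -> byte value
        self.alerts = []

    def observe(self, seg: Segment) -> bool:
        """Returns True if this segment conflicts with previously observed bytes."""
        conflict = False
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            prev = self.seen.get(pos)
            if prev is None:
                self.seen[pos] = b
            elif prev != b:
                conflict = True
        if conflict:
            self.alerts.append(f"inconsistent retransmission at seq {seg.seq}: "
                               f"two different payloads for the same bytes")
        return conflict


def handshake_numbers(x: int, y: int, request: bytes) -> dict:
    """Sequence/ack bookkeeping from page 27: SYN consumes one sequence number, data consumes its length.
    Each value is (Seq, Ack) for that message."""
    return {
        "syn": (x, None),
        "syn_ack": (y, x + 1),
        "ack": (x + 1, y + 1),
        "request": (x + 1, y + 1),
        "response": (y + 1, x + 1 + len(request)),   # x+16 for the 15-byte "GET /login.html"
    }


def replay_slide_30(y: int = 5000) -> dict:
    """Server->client direction from page 30: forged reply arrives first, genuine reply second."""
    client = StreamReceiver(rcv_nxt=y + 1)
    monitor = InjectionMonitor()
    forged = Segment(y + 1, b"200 OK ... <poison> ...")
    genuine = Segment(y + 1, b"200 OK ... <html> ..")    # same starting sequence number
    results = {}
    for name, seg in (("forged", forged), ("genuine", genuine)):
        monitor.observe(seg)
        results[name] = client.deliver(seg)
    results["alerts"] = list(monitor.alerts)
    results["client_saw"] = bytes(client.received)
    return results


if __name__ == "__main__":
    print(handshake_numbers(100, 5000, b"GET /login.html"))
    for k, v in replay_slide_30().items():
        print(k, "->", v)
```

The endpoint's behaviour here is correct TCP, not a bug: the network may legitimately duplicate or retransmit segments, so the receiver must take the first copy and discard the rest. That is why the defence cannot live in the endpoint's reassembly logic alone; it has to come from a monitor that sees both copies, or from integrity protection above TCP such as TLS.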

Page 31

TCP Threat: Disruption aka RST injection

• The attacker can also inject RST packets instead of payloads
  • TCP clients must respect RST packets and stop all communication
  • Because it's a real world error recovery mechanism
  • So "just ignore RSTs" doesn't work
• Who uses this?
  • China: The Great Firewall does this to TCP requests
  • A long time ago: Comcast, to block BitTorrent uploads
  • Some intrusion detection systems: To hopefully mitigate an attack in progress
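Since "just ignore RSTs" is ruled out, the practical hardening is to be strict about which RSTs count. This added example (not code from the slides) models the RST processing RFC 5961 specifies: a RST whose sequence number is exactly RCV.NXT resets the connection; a RST that is merely somewhere inside the receive window is answered with a "challenge ACK" (a peer that genuinely reset will respond with another RST carrying the exact number, while a forged one cannot); a RST outside the window is dropped. Before that RFC any in-window RST tore the connection down, so a blind attacker had a window-sized target instead of one value. The rate limiter on challenge ACKs is keyed per connection rather than being one global counter, which is the design choice the CVE on page 41 turns on. Connection numbers are made up, the clock is frozen so the demo is deterministic, and sequence arithmetic is modulo 2**32.

```python
"""Added example: RFC 5961-style RST handling with a per-connection challenge ACK budget.
Sequence numbers, window and addresses are constructed for the demo."""
from collections import defaultdict
import time

MOD = 1 << 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), honouring sequence-number wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class ChallengeAckLimiter:
    """At most `limit` challenge ACKs per connection per second (per connection, not global)."""

    def __init__(self, limit: int = 100, clock=time.monotonic):
        self.limit, self.clock = limit, clock
        self.buckets = defaultdict(lambda: [0.0, 0])   # conn -> [window start, count]

    def allow(self, conn) -> bool:
        now = self.clock()
        start, count = self.buckets[conn]
        if now - start >= 1.0:                         # new one-second window
            self.buckets[conn] = [now, 0]
            count = 0
        if count >= self.limit:
            return False
        self.buckets[conn][1] = count + 1
        return True


class Connection:
    def __init__(self, conn_id, rcv_nxt: int, rcv_wnd: int, limiter: ChallengeAckLimiter):
        self.conn_id, self.rcv_nxt, self.rcv_wnd, self.limiter = conn_id, rcv_nxt, rcv_wnd, limiter
        self.state = "ESTABLISHED"

    def on_rst(self, seq: int) -> str:
        """RFC 5961 section 3.2 processing of an incoming RST. Returns what the endpoint did."""
        if self.state != "ESTABLISHED":
            return "dropped: not established"
        if seq == self.rcv_nxt:
            self.state = "CLOSED"
            return "reset: exact RCV.NXT match"
        if in_window(seq, self.rcv_nxt, self.rcv_wnd):
            if self.limiter.allow(self.conn_id):
                return "challenge ACK sent: in-window but not exact"
            return "dropped: challenge ACK rate limit"
        return "dropped: out of window"


def demo() -> list:
    limiter = ChallengeAckLimiter(limit=2, clock=lambda: 0.0)   # frozen clock: deterministic output
    c = Connection(("1.2.1.2", 3344, "9.8.7.6", 80), rcv_nxt=5001, rcv_wnd=65535, limiter=limiter)
    return [
        c.on_rst(5001 + 70000),   # outside the window: dropped
        c.on_rst(5001 + 1000),    # in window, not exact: challenge ACK
        c.on_rst(5001 + 2000),    # second challenge ACK, still within the budget
        c.on_rst(5001 + 3000),    # budget of 2 exhausted: dropped
        c.on_rst(5001),           # exact match: connection reset
        c.state,
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```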

Page 32

TCP Threat: Blind Hijacking

• Is it possible for an off-path attacker to inject into a TCP connection even if they can’t see our traffic?
• YES: if somehow they can infer or guess the port and sequence numbers

Page 33

TCP Threat: Blind Spoofing

• Is it possible for an off-path attacker to create a fake TCP connection, even if they can’t see responses?
• YES: if somehow they can infer or guess the TCP initial sequence numbers
• Why would an attacker want to do this?
  • Perhaps to leverage a server’s trust of a given client as identified by its IP address
  • Perhaps to frame a given client so the attacker’s actions during the connections can’t be traced back to the attacker

Page 34

Blind Spoofing on TCP Handshake

Alleged Client (not actual): IP address 1.2.1.2, port N/A
Server: IP address 9.8.7.6, port 80
Blind Attacker

Attacker → Server (forged as client): SrcA=1.2.1.2, SrcP=5566, DstA=9.8.7.6, DstP=80, SYN, Seq = z
Server → Alleged Client: SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=5566, SYN+ACK, Seq = y, Ack = z+1

Attacker’s goal:
Attacker → Server (forged as client): SrcA=1.2.1.2, SrcP=5566, DstA=9.8.7.6, DstP=80, ACK, Seq = z+1, ACK = y+1
Attacker → Server (forged as client): SrcA=1.2.1.2, SrcP=5566, DstA=9.8.7.6, DstP=80, ACK, Seq = z+1, ACK = y+1, Data = “GET /transfer-money.html”

Page 35

Blind Spoofing on TCP Handshake

[Same forged SYN and SYN+ACK exchange as page 34]

Small Note #1: if the alleged client receives this SYN+ACK, it will be confused ⇒ it sends a RST back to the server … So the attacker may need to hurry! But firewalls may inadvertently stop this reply to the alleged client so it never sends the RST 🤔

Page 36

Blind Spoofing on TCP Handshake

[Same forged SYN and SYN+ACK exchange as page 34]

Big Note #2: the attacker doesn’t get to see this packet (the SYN+ACK)!

Page 37

Blind Spoofing on TCP Handshake

[Same forged SYN and SYN+ACK exchange as page 34]

So how can the attacker figure out what value of y to use for their ACK?

Attacker → Server (forged as client): SrcA=1.2.1.2, SrcP=5566, DstA=9.8.7.6, DstP=80, ACK, Seq = z+1, ACK = y+1
Attacker → Server (forged as client): SrcA=1.2.1.2, SrcP=5566, DstA=9.8.7.6, DstP=80, ACK, Seq = z+1, ACK = y+1, Data = “GET /transfer-money.html”

Page 38

Reminder: Establishing a TCP Connection

[Figure: A and B exchange SYN, SYN+ACK, ACK, then Data in both directions]

Each host tells its Initial Sequence Number (ISN) to the other host.
(Spec says to pick based on local clock)

Hmm, any way for the attacker to know this?
Sure – make a non-spoofed connection first, and see what the server used for ISN y then!

How Do We Fix This?
Use a (Pseudo)-Random ISN
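What "pick based on local clock" costs, and what the fix looks like, as an added example (not code from the slides). ClockIsn follows the original RFC 793 suggestion: a 32-bit counter advanced roughly every 4 microseconds. The prediction_error function runs the experiment page 38 describes from the server's side: observe the ISN the server handed out to a legitimate connection at time t0, then compare a clock-based prediction for a different connection at time t1 against the ISN actually generated. RandomizedIsn follows the RFC 6528 recipe, ISN = M + F(local IP, local port, remote IP, remote port, secret), with M the same clock and F a keyed hash; HMAC-SHA256 truncated to 32 bits is this example's choice of F, the RFC only requires an unpredictable function. The per-connection offset means the ISN of one connection reveals nothing about another, while each individual connection's ISN still advances with the clock, which is what the clock was for in the first place. The clock is faked and the addresses are constructed.

```python
"""Added example: clock-based ISN versus an RFC 6528-style randomized ISN.
The clock is a fake object so the numbers are reproducible; addresses are constructed."""
import hashlib
import hmac
import os

MOD = 1 << 32
TICKS_PER_SECOND = 250_000   # one increment per 4 microseconds, as RFC 793 suggests


class FakeClock:
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class ClockIsn:
    """RFC 793 style: the ISN is just the clock. Every connection sees the same counter."""

    def __init__(self, clock):
        self.clock = clock                       # callable returning seconds as a float

    def isn(self, local, remote) -> int:
        return int(self.clock() * TICKS_PER_SECOND) % MOD


class RandomizedIsn:
    """RFC 6528 style: ISN = M + F(local, remote, secret), F a keyed hash (HMAC-SHA256 here)."""

    def __init__(self, clock, secret: bytes = None):
        self.clock = clock
        self.secret = secret if secret is not None else os.urandom(32)   # fresh secret per boot

    def isn(self, local, remote) -> int:
        m = int(self.clock() * TICKS_PER_SECOND) % MOD
        key_material = f"{local[0]}:{local[1]}|{remote[0]}:{remote[1]}".encode()
        f = int.from_bytes(hmac.new(self.secret, key_material, hashlib.sha256).digest()[:4], "big")
        return (m + f) % MOD


def prediction_error(generator, observer_conn, victim_conn, t0: float, t1: float, fake_clock) -> int:
    """Page 38's experiment from the server's point of view: the ISN handed to one (observed)
    connection at t0, plus the elapsed ticks, versus the ISN actually generated for a different
    connection at t1. Returns the circular distance between the two; 0 means fully predictable."""
    fake_clock.now = t0
    seen = generator.isn(*observer_conn)
    predicted = (seen + int((t1 - t0) * TICKS_PER_SECOND)) % MOD
    fake_clock.now = t1
    actual = generator.isn(*victim_conn)
    d = (actual - predicted) % MOD
    return min(d, MOD - d)


def demo() -> dict:
    clock = FakeClock()
    observed = (("9.8.7.6", 80), ("6.6.6.6", 40000))   # server's view of a connection it can observe
    other = (("9.8.7.6", 80), ("1.2.1.2", 5566))       # server's view of a different connection
    results = {}
    for name, gen in (("clock", ClockIsn(clock)),
                      ("rfc6528", RandomizedIsn(clock, secret=b"demo-secret"))):
        results[name] = prediction_error(gen, observed, other, t0=10.0, t1=10.5, fake_clock=clock)
    return results


if __name__ == "__main__":
    print(demo())   # clock: 0 ticks of error; rfc6528: a 32-bit-sized surprise
```

A useful self-check on any stack is the first half of this demo alone: open two connections to the same server a known interval apart and compare the ISN difference with the elapsed time. If they agree to within a few ticks, the ISN generator is the clock.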

Page 39

Summary of TCP Security Issues

• An attacker who can observe your TCP connection can manipulate it:
  • Forcefully terminate by forging a RST packet
  • Inject (spoof) data into either direction by forging data packets
  • Works because they can include in their spoofed traffic the correct sequence numbers (both directions) and TCP ports
  • Remains a major threat today

Page 40

Summary of TCP Security Issues

• An attacker who can observe your TCP connection can manipulate it:
  • Forcefully terminate by forging a RST packet
  • Inject (spoof) data into either direction by forging data packets
  • Works because they can include in their spoofed traffic the correct sequence numbers (both directions) and TCP ports
  • Remains a major threat today
• If attacker could predict the ISN chosen by a server, could “blind spoof” a connection to the server
  • Makes it appear that host ABC has connected, and has sent data of the attacker’s choosing, when in fact it hasn’t
  • Undermines any security based on trusting ABC’s IP address
  • Allows attacker to “frame” ABC or otherwise avoid detection
  • Fixed (mostly) today by choosing random ISNs

Page 41

But wasn't fixed completely...

• CVE-2016-5696
  • "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous", USENIX Security 2016
  • https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao
• Key idea:
  • RFC 5961 added some global rate limits that acted as an information leak:
  • Could determine if two clients were communicating on a given port
  • Could determine if you could correctly guess the sequence #s for this communication
  • Required a third host to probe this and at the same time spoof packets
• Once you get the sequence #s, you can then inject arbitrary content into the TCP stream (d'oh)

Page 42

The Bane of the Internet: The (distributed) Denial of Service Attack

• Let's say you've run afoul of a bad guy...
  • And he doesn't like your web page
  • He hires some other bad guy to launch a "Denial of Service" attack
• This other bad guy controls a lot of machines on the Internet
  • These days a million systems is not unheard of
• The bad guy just instructs those machines to make a lot of requests to your server...
  • Blowing it off the network with traffic

Page 43

And the Firewall...

• Attackers can't attack what they can't talk to!
  • If you don't accept any communication from an attacker, you can't be exploited
• The firewall is a network device (or software filter on the end host) that restricts communication
  • Primarily just by IP/Port or network/Port
• Default deny:
  • By default, disallow any contact to this host on any port
• Default allow:
  • By default, allow any contact to this host on any port
• More when we discuss Intrusion Detection next week
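The two default policies from page 43, applied to one and the same rule set, as an added example (not code from the slides). Rules match on the fields the slide names, a source IP or network and a destination port; the first matching rule decides, and if no rule matches the default policy decides. Running identical traffic through a default-deny and a default-allow firewall shows what default-allow costs: a service nobody wrote a rule for (the database port below) is reachable by anyone. The ordering of the rules also matters, which is why the block-list entry sits first. Networks, ports and connection attempts are all constructed.

```python
"""Added example: first-match rule evaluation under default-deny versus default-allow.
Rules and traffic are constructed; nothing here touches a real network."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: str = "0.0.0.0/0"            # source network; any source by default
    dst_port: Optional[int] = None    # None = any port


class Firewall:
    def __init__(self, default: str, rules: List[Rule]):
        if default not in ("allow", "deny"):
            raise ValueError("default must be allow or deny")
        self.default = default
        self.rules = [(r, ipaddress.ip_network(r.src)) for r in rules]

    def decide(self, src_ip: str, dst_port: int) -> str:
        addr = ipaddress.ip_address(src_ip)
        for rule, net in self.rules:
            if addr in net and (rule.dst_port is None or rule.dst_port == dst_port):
                return rule.action            # first match wins
        return self.default                   # nothing matched: the default policy decides


RULES = [
    Rule("deny", src="203.0.113.0/24"),            # a block-listed network; first so it beats the allows
    Rule("allow", dst_port=443),                   # public web service
    Rule("allow", src="10.0.0.0/8", dst_port=22),  # ssh only from the internal network
]

TRAFFIC = [  # constructed connection attempts: (source address, destination port)
    ("198.51.100.7", 443),
    ("198.51.100.7", 22),
    ("10.1.2.3", 22),
    ("198.51.100.7", 3306),   # database port that was never meant to be exposed
    ("203.0.113.9", 443),
]


def compare_policies() -> dict:
    """Map each connection attempt to (default-deny decision, default-allow decision)."""
    deny_fw = Firewall("deny", RULES)
    allow_fw = Firewall("allow", RULES)
    return {(src, port): (deny_fw.decide(src, port), allow_fw.decide(src, port)) for src, port in TRAFFIC}


if __name__ == "__main__":
    print("source            port  default-deny  default-allow")
    for (src, port), (d, a) in compare_policies().items():
        print(f"{src:16}  {port:5}  {d:12}  {a}")
```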